Fortinet Network Device IPS User Manual
FortiGate IPS User Guide Version 3.0 MR7, page 36
01-30007-0080-20080916
Creating custom signatures
Custom signatures
Use the --protocol tcp keyword to limit the effect of the custom signature to
only TCP traffic. This will save system resources by not unnecessarily scanning
UDP and ICMP traffic.
F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --protocol tcp; )
The FortiGate unit will limit its search for the pattern to TCP traffic and ignore the
pattern in UDP and ICMP network traffic.
6. Ignoring case sensitivity
By default, patterns are case sensitive. If a pattern were written in lower case and a
user directed his or her browser to Example.com, the custom signature would not
recognize the URL as a match.
Use the --no_case keyword to make the pattern matching case insensitive.
F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --no_case; )
Unlike all of the other keywords in this example, the --no_case keyword has no
value. Only the keyword is required.
7. Specifying the context
The SMTP vrfy command will appear in the SMTP header. The --context header
keyword/value pair allows you to limit the pattern search to only the header.
F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --no_case; --context header; )